According to design of App Security Group (ASG) the applications should be restarted to apply the ASG for the following scenarios

• New ASG is created and bound to running applications
• ASG is unbound from running applications
• Existing ASG, which is being bound to running applications, is updated 

Refer to TAS document for more information about ASG.

There are several approaches to restart an application on TAS foundation. However it's found that restarting application with command cf restart-app-instance won't result in ASG getting applied.  This is a designed behaviour which is also confirmed by product team.

TAS

Instead of using cf restart-app-instance command, take any of the following ways to restart an application to apply ASG. 

• Run cf restart command
• Restart application through Apps Manager web UI
• Rolling restart application to avoid downtime. For example, cf restart APP-NAME --strategy rolling. Refer to document for more information